Bug Bytes #67 – Hacking Containers, Auth0 Bypass & @Hussein98d’s Methodologies

By Intigriti

April 21, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 10 to 17 of April.

Intigriti news

Our favorite 5 hacking items

1. Resource of the week

Attacking and Auditing Docker Containers and Kubernetes Clusters

After last week’s training on AWS and Azure, @appseccouk is now generously open sourcing another complete training course. This one is about hacking Docker containers and Kubernetes clusters. It includes documentation, Docker Lab virtual machines and an intentionally vulnerable Kubernetes cluster (Google Cloud).

2. Writeup of the week

JSON Web Token Validation Bypass in Auth0 Authentication API

This is a nice writeup on bypassing JWT validation. The app checks that the algorithm is not `none`, but relies on a blacklist. Using `alg: nonE` bypasses the case-sensitive filter and allows forging JWT tokens for any user. @zantedotnz also shares the tool he used and links to resources on JWT hacking.
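To make the pattern concrete, here is an added example (not code from the write-up, from Auth0, or from any library) that models the flawed check beside its hardened form. The key and tokens are constructed for the demo; the "downstream treats `alg` case-insensitively" behaviour is a modelling assumption that reproduces the bypass the write-up describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; the real application's key material is not on the page.
DEMO_KEY = b"constructed-demo-key-not-from-the-writeup"

# The hardened verifier accepts exactly these algorithm identifiers and nothing else.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Build a compact JWS. key=None yields an unsigned token with an empty signature part."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def split_token(token: str):
    """Return (header, payload, signing_input, signature_segment) or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[0] + "." + parts[1], parts[2]


def hs256_valid(key: bytes, signing_input: str, sig_segment: str) -> bool:
    """Constant-time comparison of the presented HS256 tag against the expected one."""
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(sig_segment), expected)


def verify_blacklist(token: str, key: bytes) -> Optional[dict]:
    """Flawed pattern from the write-up: reject the literal 'none', accept anything else.

    The downstream step is modelled (assumption) as treating 'alg' case-insensitively,
    so 'nonE' slips past the exact-match filter and is then processed as unsigned.
    """
    header, payload, signing_input, sig = split_token(token)
    alg = str(header.get("alg", ""))
    if alg == "none":                 # the only value the blacklist rejects
        return None
    if alg.lower() == "none":         # modelled lenient path: no signature required
        return payload
    return payload if hs256_valid(key, signing_input, sig) else None


def verify_allowlist(token: str, key: bytes) -> Optional[dict]:
    """Hardened form: exact-match allowlist of expected algorithms, signature always checked."""
    header, payload, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return None                   # 'none', 'nonE', 'NONE', missing: all rejected
    if not sig or not hs256_valid(key, signing_input, sig):
        return None
    return payload


if __name__ == "__main__":
    forged = make_token({"alg": "nonE", "typ": "JWT"}, {"sub": "admin"}, None)
    print("blacklist verifier accepts forged token:", verify_blacklist(forged, DEMO_KEY))
    print("allowlist verifier accepts forged token:", verify_allowlist(forged, DEMO_KEY))
```

The defensive point is that the header is attacker-controlled, so the verifier must pin the algorithm it expects (ideally per key) rather than enumerate the values it fears; case-variant or otherwise unexpected `alg` values then fail closed.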

3. Videos of the week

@hussein98d Talks About Bug Bounties, Recon Methodology, and Shows Some of the Tools He Uses!
Attacking Secondary Contexts in Web Applications – Sam Curry
Code that gets you pwn(s|’d) – Louis & Slides
Using Interlace for organising tests, and multithreading over targets – @codingo

These are the videos/talks I plan on watching as a priority this week. Why? Because I want to learn about @hussein98d’s recon process and bug hunting methodology, @snyff discussing less obvious vulnerabilities, how @codingo_ uses Interlace, and @samwcyo’s attacks on secondary contexts.

4. Non technical item of the week

How to Remember Everything : Using Roam for Bug Bounty Notes

Choosing a note-taking app is such a never-ending rabbit hole! 🤦 After settling on Joplin, then discovering Notion’s great UI and features, I’m now tempted to check out Roam. @bonjarber does a great job of explaining why Roam’s graph-based approach solves problems all apps based on a “hierarchical tree” have (including Notion).

5. Tutorials of the week

The Wonderful World of OAuth: Bug Bounty Edition
The 5 Most Common GraphQL Security Vulnerabilities & vulnerable-graphql-api
Bypassing modern XSS mitigations with code-reuse attacks

Depending on the bug classes you are focusing on, these tutorials might come in very handy. The OAuth one will give you ideas for new attacks to test for. The GraphQL article will give you an idea of common GraphQL bugs, and it is accompanied by an intentionally vulnerable API playground. The last tutorial is an excellent introduction to code-reuse attacks, and how to leverage them to bypass the latest XSS mitigations like CSP, WAFs and HTML sanitizers.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

Tools

If you don’t have time

More tools, if you have time

  • Default HTTP Login Hunter & Introduction: Login hunter of default credentials for administrative web interfaces, leveraging the NNdefaccts dataset

  • haktldextract: Extract domains/subdomains from URLs en masse

  • wpvulns.com: All WordPress version vulnerabilities for free without any limitations

  • ExGen: A simple Python script to create exploit templates for XSSI, JSONP Hijacking, Clickjacking and CORS vulnerabilities

  • FinDOM-XSS: DOM XSS scanner in Bash

  • MagicRecon: Bash wrapper around many recon tools

  • QuickSQL: A simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use

  • Lollipopz: Data exfiltration utility for testing detection capabilities

  • Pet: Simple command-line snippet manager, written in Go

  • SweetPotato & Introduction: Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019

  • PowerSharpPack: Many offensive C# binaries now usable from within PowerShell

  • pwndrop & Pwndrop – Self-hosting Your Red Team Payloads: Self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Coronavirus

Zoom

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/10/2020 to 04/17/2020.

Curated by Pentester Land & Sponsored by Intigriti
